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1 CLAIMS 

2 I Claim: 

3 1. A system for detecting and restricting denial of service attacks, 

4 comprising: 

5 a transmit algorithm to receive packets from a software application and discard 

6 packets that are determined to be from a zombie application; 

7 a receive algorithm to receive packets from a network interface and discard 

8 packets that are determined to be from a zombie application; and 

9 a monitor code in communications with the transmit algorithm and the receive 



10 algorithm to track the pattern of packet transmission and reception to and from the 

11 software application and determine that the software application is a zombie 

12 application based upon the pattern of packet transmission and reception. 

1 2. The system recited in claim 1 , wherein said monitor code determines 

2 that the software application is the zombie application by identifying that the software 

3 application is transmitting a large number of packets without receiving any packets 

4 and placing the software application on a zombie list or a watch list. 

1 3. The system recited in claim 2, wherein said monitor code alerts the user 

2 and the transmit algorithm and receive algorithm that a software application is a 

3 zombie application when the software application has previously been placed on the 

4 zombie list or the watch list and the software application is still transmitting a large 
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5 number of packets without receiving any packets. 

1 4. The system recited in claim 1 , wherein said monitor code determines 

2 that the software application is the zombie application by identifying that the software 

3 application is not receiving any packets and placing the software application on a 

4 watch list. 

1 5. The system recited in claim 4, wherein said monitor code alerts the user 

2 and the transmit algorithm and receive algorithm that a software application is a 

3 zombie application when the software application has previously been placed on the 

4 watch list and the software application is now transmitting a large number of packets. 

1 6. The system recited in claim 1 , wherein said monitor code determines 

2 that the software application is a possible zombie application by identifying that the 

3 software application is rarely receiving any packets and placing the software 

4 application on a watch list. 

1 7. The system recited in claim 6, wherein said monitor code alerts the user 

2 and the transmit algorithm and receive algorithm that a software application is a 

3 zombie application when the software application has previously been placed on the 

4 watch list and the software application is now transmitting a large number of packets. 

1 8. The system recited in claim 1 , wherein said monitor code determines 
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2 that the software application is a possible zombie application by identifying that the 

3 software application has stopped receiving any packets or receiving packets and 

4 placing the software application on a watch list. 

1 9. The system recited in claim 8, wherein said monitor code alerts the user 

2 and the transmit algorithm and receive algorithm that a software application is a 

3 zombie application when the software application has previously been placed on the 

4 watch list and the software application is now transmitting a large number of packets. 

1 10. The system recited in claim 3, wherein said monitor code will retain an 

2 application on the watch list when a zombie rating exceeds a predetermined value, 

3 said zombie rating is based on the factors of whether the software application is an 

4 application or a process and whether the application is user initiated or initiated at 

5 system startup. 

1 11. The system recited in claim 5, wherein said monitor code will retain an 

2 application on the watch list when a zombie rating exceeds a predetermined value, 

3 said zombie rating is base on the factors of whether the software application is an 

4 application or a process and whether the application is user initiated or initiated at 

5 system startup.. 

1 12. The system recited in claim 7, wherein said monitor code will retain an 

2 application on the watch list when a zombie rating exceeds a predetermined value, 
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3 said zombie rating is base on the factors of whether the software application is an 

4 application or a process and whether the application is user initiated or initiated at 

5 system startup. 

1 13. The system recited in claim 9, wherein said monitor code will retain an 

2 application on the watch list when a zombie rating exceeds a predetermined value, 

3 said zombie rating is base on the factors of whether the software application is an 

4 application or a process and whether the application is user initiated or initiated at 

5 system startup. 



1 14. A method of detecting and restricting denial of service attacks, 

2 comprising: 

3 monitoring incoming and outgoing packets to and from a software application; 

4 placing said software application on a zombie list or a watch list when a pattern 

5 of the incoming or outgoing packets from the software applications matches that of the 

6 characteristics of a zombie application; and 

7 blocking reception and transmission of packets to the software application when 



8 the software application has been placed on the watch list or the zombie list in a 

9 previous cycle and the software application further exhibits the characteristics of a 
10 zombie application. 

1 15. The method recited in claim 14, wherein the characteristics of a zombie 

2 application are transmitting a large number of packets while receiving no incoming 

3 packets. 
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1 16. The method recited in claim 14, wherein the characteristics of a zombie 

2 application are receiving no incoming packets and having a zombie rating exceeding 

3 a predetermined value. 

1 17. The method recited in claim 16, wherein said zombie rating is based on 

2 the factors of whether the software application is an application or a process and 

3 whether the application is user initiated or initiated at system startup. 

1 18. The method recited in claim 1 4, wherein the characteristics of a zombie 

2 application are rarely receiving incoming packets and having a zombie rating 

3 exceeding a predetermined value. 

1 1 9. The method recited in claim 1 8, wherein said zombie rating is based on 

2 the factors of whether the software application is an application or a process and 

3 whether the application is user initiated or initiated at system startup. 

1 20. The method recited in claim 14, wherein the characteristics of a zombie 

2 application are receiving incoming packets at first and then not receiving or sending 

3 any packets and having a zombie rating exceeding a predetermined value. 

1 21 . The method recited in claim 20, wherein said zombie rating is based on 

2 the factors of whether the software application is an application or a process and 
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3 whether the application is user initiated or initiated at system startup. 

1 22. A computer program, comprising: 

2 monitoring incoming and outgoing packets to and from a software application; 

3 placing said software application on a zombie list or a watch list when a pattern 

4 of the incoming or outgoing packets from the software applications matches that of the 

5 characteristics of a zombie application; and 

6 blocking reception and transmission of packets to the software application when 

7 the software application has been placed on the watch list or the zombie list in a 

8 previous cycle and the software application further exhibits the characteristics of a 

9 zombie application. 

1 23. The computer program recited in claim 22, wherein the characteristics 

2 of a zombie application are transmitting a large number of packets while receiving no 

3 incoming packets. 

1 24. The computer program recited in claim 23, wherein the characteristics 

2 of a zombie application are receiving no incoming packets and having a zombie rating 

3 exceeding a predetermined value. 

1 25. The computer program recited in claim 22, wherein said zombie rating 

2 is based on the factors of whether the software application is an application or a 

3 process and whether the application is user initiated or initiated at system startup. 
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1 26. The computer program recited in claim 25, wherein the characteristics 

2 of a zombie application are rarely receiving incoming packets and having a zombie 

3 rating exceeding a predetermined value. 

1 27. The computer program recited in claim 26, wherein said zombie rating 

2 is based on the factors of whether the software application is an application or a 

3 process and whether the application is user initiated or initiated at system startup. 

1 28. The computer program recited in claim 22, wherein the characteristics 

2 of a zombie application are receiving incoming packets at first and then not receiving 

3 or sending any packets and having a zombie rating exceeding a predetermined value. 

1 29. The computer program recited in claim 28, wherein said zombie rating 

2 is based on the factors of whether the software application is an application or a 

3 process and whether the application is user initiated or initiated at system startup. 
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